Clear text messages used in transferring applications via web services can potentially slip through existing security hardware allowing malformed code to run rampant within organisations.

Typically malicious code such as Trojans and worms are detected at the gateway; however, current XML and SOAP (Simple Object Access Protocol) attachments can potentially allow threats to enter the network, as well as information leakage.

Dean Dierickx, Asia-Pacific director of Forum Systems, said existing firewalls are blind to XML - and SOAP-based messages.

"Adding to the problem is security controls built into web services applications, which offer a compromise in performance and as a result are systematically being turned off," Dierickx said.

"Because some tools allow developers to write security (like access control) into layers and because of how much demand it makes on the application server, the number of CPUs to parse and validate bogs down application performance; system operators are turning the security off because of application degradation issues."

Dierickx said the likes of Microsoft and BEA have made it easy to write web services and security problems are now surfacing.

Related

"We are now hearing of Schema poisoning and XML perimeter tampering, and probably another 12 different ways for web services application breaches to [appear]," he said.

"For companies writing web services applications using SOAP with attachments, systems need to be set up to scan and detect code coming in on an XML payload, because no existing infrastructure can detect if a company has been breached."

Amer Qureshi, director of Forum systems field operations, said scanning attachments for web services applications is vital at the network perimeter, before the applications are allowed into the enterprise infrastructure.

"XML attachments work the same as e-mail, but there are no application servers exchanging information and people interact directly with the application; the attachments can be anything so it is vital to scan these documents at the edge of the perimeter before they are let inside the infrastructure."